Bug#880458: libcatalyst-plugin-static-simple-perl: leaks files without extention, inadvertently

Damyan Ivanov dmn at debian.org
Tue Oct 31 19:42:07 UTC 2017


Package: libcatalyst-plugin-static-simple-perl
Version: 0.31
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=120558

>From upstream changelog for version 0.34:

    Fix security vulnerability, when serving static files with dots in 
    the names (RT#120558)

Catalyst::Plugin::Static::Simple is a plugin for Catalyst, a web 
framework in Perl. Its purpose is to serve static files, and it is 
supposed to only serve files with extensions (from which it determines 
the content type).

Due to the bug, however, any file under a directory whose name contains a 
dot could be served.

the upstream fix is as follows:

--- a/lib/Catalyst/Plugin/Static/Simple.pm
+++ b/lib/Catalyst/Plugin/Static/Simple.pm
@@ -64,7 +64,7 @@ before prepare_action => sub {
     }
 
     # Does the path have an extension?
-    if ( $path =~ /.*\.(\S{1,})$/xms ) {
+    if ( $path =~ /\.([^\/\\]+)$/m ) {
         # and does it exist?
         $c->_locate_static_file( $path );
     }

That is, instead of matching one or more non-space characters between a 
dot (including "/") and the end of the path, match one or more characters 
different from "/" and "\" between a dot and the end of the path.

Cheers,
    dam



More information about the pkg-perl-maintainers mailing list